Collecting data via Google Analytics without obtaining the prior, explicit consent of website visitors? This was possible for a long time but the LfDI Rhineland-Palatinate (State Representative for Data Protection and Information Freedom Rhineland-Palatinate) has now thrown down the gauntlet to website operators who gather analysis data without users’ consent – and has already issued its first prohibition orders.
“Legitimate interest” does not apply to Google Analytics
Citing “legitimate interest” under Art. 6 Paragraph 1 lit. f GDPR as the legal basis for using Google Analytics, as has been typical in the past, has been ruled unacceptable by the LfDI Rhineland-Palatinate in its statement.
The reason is that it cannot be assumed that users visiting a website are aware of their data being evaluated and forwarded to Google. Not even when the IP address is anonymised beforehand. In fact, it must generally be assumed that there is an information deficit on the user’s side.
This means website operators wishing to use Google Analytics or similar web analysis or tracking tools must obtain explicit consent from the users (Art. 6 Paragraph 1 lit) in order to comply with applicable data protection laws – and in every case before a tracking pixel is loaded.
Google Analytics may only be used with GDPR-compliant consent
Background: Other data protection authorities in addition to the LfDI Rhineland-Palatinate have positioned themselves in recent months with respect to Google Analytics and similar analytical tools. The Bavarian State Office for Data Protection Supervision likewise draws upon the ECJ’s ruling, in its statement from November 2019 dealing with active consent to use cookies.
The prevailing opinion: Non-essential cookies, e.g. those for marketing or statistical purposes, always require explicit user consent – including for the use of Google Analytics.
What can website operators do?
Website operators wishing to continue to use Google Analytics as an analytical tool must ensure they have prior, explicit consent from users to gather and process their data for this purpose.
The following criteria must be fulfilled for user consent to be GDPR-compliant:
✔ It must be explicit.
⇨ e.g. through the user actively opting in by ticking a box or by sliding a switch.
✔ It must be informed.
⇨ The privacy statement must contain information about the use of Google Analytics and cookies.
✔ It must be revocable.
⇨ The user must be able to revoke his or her consent to the use of Google Analytics at any time – and revoking it must be as easy as giving it.
✔ It must be documented.
⇨ It must be possible to prove consent in the event of an audit by a court or data protection authority.
Detailed information about the subject of “GDPR-compliant consent” can be found here.
Do you want to know more about the Usercentrics CMP? Please feel free to contact us.